Reflected XSS Vulnerability in 尖2 Multiple Comments Plugin by Shen2
CVE-2025-49056

7.1HIGH

Key Information:

Vendor: WordPress
Status: 多说社会化评论框
Vendor: CVE Published:; 14 August 2025

What is CVE-2025-49056?

A Cross-site Scripting (XSS) vulnerability exists in the Shen2 多说社会化评论框 plugin, which allows attackers to inject malicious scripts into web pages viewed by users. This vulnerability is present in versions up to 1.2. When users interact with the affected plugin, it may reflect user input without proper sanitization, enabling attackers to execute arbitrary JavaScript code in the context of the user's browser. This can have serious implications for data theft, session hijacking, and user impersonation.

Affected Version(s)

多说社会化评论框 <= 1.2

References

https://patchstack.com/database/wordpress/plugin/duoshuo/...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 14, 2025
Vulnerability Reserved
May 30, 2025

Credit

Nguyen Xuan Chien (Patchstack Alliance)